ICS Anomaly Detection: Finding the Right Needle in the Relevant Electric Haystack

Power generation, substation and electric grid operators, and many other critical infrastructure sectors, typically use equipment from a heterogeneous assortment of vendors. This equipment runs thousands of real-time processes that generate a huge volume of data. Increasing the interconnectedness and digitization of these systems is a pillar of improved operational efficiency; however, it isn't risk free.

Analyzing and monitoring this data to detect anomalies that might be caused by a cyberattack is akin to searching for a needle in thousands or even millions of haystacks. While it might seem mission impossible, ignoring the problem isn't an option. Organizations need to find a way to detect anomalies in their ICS environment as a foundation for reliable and resilient power delivery.

Power system cyber threats are now recognized as core risks to safely functioning societies, economic stability and business continuity. They are also cited among the top issues keeping energy leaders around the world awake at night. Furthermore, governments are increasing their focus on critical infrastructure cybersecurity, an example of which is the 2017 U.S. Presidential Executive Order on cybersecurity for federal networks and critical infrastructure.

To improve cyber resiliency, many utilities are evaluating options for augmenting the cybersecurity of their industrial control system (ICS) networks. That said, real-time visibility of cybersecurity attacks, risks and incidents in these large, heterogeneous, high-availability industrial systems poses a unique challenge.

Technical Challenge

Many electric utilities have hundreds or even thousands of substations, and these substations are critical for realizing the efficiency and adaptability vision of the smart grid. With the smart grid, information about consumption and operations needs to be sent back to a central point for analysis by energy management systems and substation automation systems, which requires two-way communication of data.

To support this, substation communications networks are being retooled for connectivity with multiple systems. The preferred networking technologies are based on Ethernet and TCP/IP and adhere to the IEC 61850 family of standards for substation automation.

Modern substation systems need to support interoperability and deliver high reliability and availability. They also need to do this while addressing increasing concerns about cybersecurity.

Security with Zero Impact

Passive monitoring devices solve an important part of the SCADA (supervisory control and data acquisition) security problem: by observing network traffic without injecting packets into the control network, they automatically identify industrial assets and provide comprehensive, real-time cybersecurity visibility of industrial control networks with zero impact on the process. They should maintain that performance while monitoring thousands of substations and assets across low-bandwidth networks.

However, delivering this functionality requires overcoming significant technical challenges. For starters, electric power generation systems and grids span large geographic areas, which means a correspondingly large amount of infrastructure. Tracking assets, including their real-time status, produces large volumes of data that must be mined to identify anomalous incidents.

Advanced computer science techniques, such as artificial intelligence (AI) and machine learning, are proving invaluable in cybersecurity, but on their own they are only one half of the puzzle. Organizations need to combine this data with the insight and structure that ICS security experts bring to these techniques in order to make them effective.

While standard networking and cybersecurity tools rely heavily on hand-written rules and signatures, machine learning builds its detection model from the data itself. Experts with a deep understanding of ICS cybersecurity supply the structure that makes this possible: protocol dissectors, the fields and process variables that matter, and the relationships between assets that should be tracked, so that the learning algorithm views and interprets network and process data correctly rather than treating it as opaque bytes. Once the algorithms are set up in this way, they can rapidly analyze volumes of ICS data that are impractical to evaluate any other way.

This data analysis is used to develop process and security profiles specific to each ICS: which assets exist, which assets talk to which others, over which protocols and with which commands, and what range of values each process variable normally takes. Once these baselines are established, behavioral analytics continuously compare live traffic against them. The result is the rapid identification and alerting of cyberattacks, cyber incidents and critical process anomalies. This information can be used to prevent, contain or mitigate cyber threats or process incidents before significant damage occurs. The same analysis is also invaluable in reducing troubleshooting and remediation effort. One caveat a practitioner should keep in mind: whatever is present on the network during the learning period becomes part of the baseline, so the baseline needs expert review before it is trusted as "normal".
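The baseline-then-monitor approach described above, as an added example that is not part of the original article and not the vendor's product code. It learns a profile from constructed substation flow records (asset names, protocols and measurement values are all invented for illustration): the set of known assets, the allowed (source, destination, protocol, function) conversations, and the observed range of each process variable. It then checks new records against that profile and raises an alert on a new asset, a never-seen conversation such as a write command from a host that only ever read, or a process value outside its learned range. The 10% tolerance on value ranges is an assumed tuning parameter, not something the article specifies.

```python
"""Learn an ICS behavioral baseline from passively observed flow records,
then flag records that deviate from it. Example code; all assets, tags
and values below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class FlowRecord:
    src: str                    # source asset (e.g. HMI, IED)
    dst: str                    # destination asset
    proto: str                  # e.g. "mms", "goose"
    func: str                   # protocol function, e.g. "read", "write"
    tag: Optional[str] = None   # process variable carried, if any
    value: Optional[float] = None


class Baseline:
    """Profile of an ICS built during a learning period."""

    def __init__(self) -> None:
        self.assets: Set[str] = set()
        self.conversations: Set[Tuple[str, str, str, str]] = set()
        self.ranges: Dict[str, Tuple[float, float]] = {}

    def learn(self, records: List[FlowRecord]) -> None:
        # Everything seen while learning is accepted as normal, which is
        # why the learning period itself needs expert review.
        for r in records:
            self.assets.update((r.src, r.dst))
            self.conversations.add((r.src, r.dst, r.proto, r.func))
            if r.tag is not None and r.value is not None:
                lo, hi = self.ranges.get(r.tag, (r.value, r.value))
                self.ranges[r.tag] = (min(lo, r.value), max(hi, r.value))

    def check(self, r: FlowRecord, tolerance: float = 0.10) -> List[str]:
        """Return a list of alert strings for one live record (empty = normal)."""
        alerts: List[str] = []
        for asset in (r.src, r.dst):
            if asset not in self.assets:
                alerts.append(f"new asset: {asset}")
        conv = (r.src, r.dst, r.proto, r.func)
        if conv not in self.conversations:
            alerts.append(f"new conversation: {r.src} -> {r.dst} {r.proto}/{r.func}")
        if r.tag in self.ranges and r.value is not None:
            lo, hi = self.ranges[r.tag]
            # Allow a margin around the learned range (assumed 10% of its span).
            margin = tolerance * ((hi - lo) or abs(hi) or 1.0)
            if not (lo - margin <= r.value <= hi + margin):
                alerts.append(f"out of range: {r.tag}={r.value} (learned {lo}..{hi})")
        return alerts


# Constructed learning-period traffic: an HMI polling a feeder IED over MMS
# and that IED publishing GOOSE to a breaker IED.
LEARNING_TRAFFIC = [
    FlowRecord("hmi-01", "ied-feeder-1", "mms", "read", "F1.Current_A", 120.0),
    FlowRecord("hmi-01", "ied-feeder-1", "mms", "read", "F1.Current_A", 135.5),
    FlowRecord("hmi-01", "ied-feeder-1", "mms", "read", "F1.Current_A", 150.0),
    FlowRecord("ied-feeder-1", "ied-breaker-1", "goose", "publish"),
]

# Constructed live traffic: one normal poll, a write from an unknown host,
# a write from the HMI (which only ever read), and an implausible reading.
LIVE_TRAFFIC = [
    FlowRecord("hmi-01", "ied-feeder-1", "mms", "read", "F1.Current_A", 148.0),
    FlowRecord("laptop-unknown", "ied-breaker-1", "mms", "write"),
    FlowRecord("hmi-01", "ied-feeder-1", "mms", "write"),
    FlowRecord("hmi-01", "ied-feeder-1", "mms", "read", "F1.Current_A", 400.0),
]


def run_monitor(learning: List[FlowRecord], live: List[FlowRecord]) -> List[List[str]]:
    """Build the baseline from `learning` and return per-record alerts for `live`."""
    baseline = Baseline()
    baseline.learn(learning)
    return [baseline.check(r) for r in live]


if __name__ == "__main__":
    for record, alerts in zip(LIVE_TRAFFIC, run_monitor(LEARNING_TRAFFIC, LIVE_TRAFFIC)):
        print(record, "->", alerts or "normal")
```

A real deployment derives the conversation tuple from protocol dissection of mirrored traffic (for IEC 61850 that means parsing MMS services and GOOSE datasets rather than just IP and port), and the value ranges from the decoded process variables, but the structure of the check is the same: unknown asset, unknown conversation, implausible process value.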

Increasing cyber threats, management concerns and government policies are driving power generation, substation and electric grid operators to improve the resiliency of their systems with enhancements to their ICS cybersecurity programs. Five years ago, it was very difficult to achieve real-time visibility and cybersecurity monitoring of industrial control networks. That has changed.

The scale and complexity inherent in substation and power grid systems make identifying anomalous and harmful incidents difficult, but that doesn't mean they can't be found. Just as the right equipment will eventually find the needle in the haystack, it is now possible to have comprehensive ICS cybersecurity that addresses the advancing threat environment in a manner that reduces cyber risk while improving operational excellence and reliability.

About the Author

Edgard Capdevielle is CEO of Nozomi Networks and has an extensive background in successfully managing and expanding markets for both start-ups and established technology companies. Previously, Edgard was Vice President of Product Management and Marketing for Imperva, where he led teams that made the company's web and data security products leaders in their space. Prior to that, he was a key executive at storage companies Data Domain and EMC. Edgard has an MBA from the University of California at Berkeley and a Bachelor's degree in Computer Science and Electrical Engineering from Vanderbilt University.